OpenVPN alternative configurations

Back to OpenVPN main

Back to extension section

OpenVPN-clientconnection to company-network

To establish a connection of my home-network to our company-network, I have installed an openVPN-tunnel, where my side acts as the client. On the company-side a corresponding openVPN-server has to be set up, and routing and firewall-settings have to be set accordingly.

The directory /var/ipfire/ovpn/ contains:

  • karls.conf the configuration-file of the tunnel
  • bfi-ca.crt root-certificate of my company
  • karls.crt my public key
  • karls.key my private key

My configuration-file karls.conf looks like (comments removed):
filename = /var/ipfire/ovpn/karls.conf

dev tun
remote test.firma.at
ifconfig 192.168.250.38 192.168.250.37
tls-client
tls-remote /C=AT/ST=Land/O=Firma/OU=edv/CN=Office
ca /var/ipfire/ovpn/firma-ca.crt
cert /var/ipfire/ovpn/karls.crt
key /var/ipfire/ovpn/karls.key
port 5010
comp-lzo
ping 15
ping-restart 45
verb 3
# since there are multiple subnets 192.168.x.0/24 in the main office
route 192.168.0.0 255.255.0.0 192.168.250.37

Since I don't use my IPFire as server, I have to start the tunnel with a script. To get it executed at system-startup, you have to add to the end of /etc/sysconfig/rc.local:

# start openvpn-tunnel to main-office
modprobe tun
openvpn --config /var/ipfire/ovpn/karls.conf –-daemon

Since my tunnel stoped during the night from time to time, I wrote a (not very beautiful) script to check the connection every 30 minutes and restart if necessary.

fcrontab -e

opens the table of cron-jobs for editing. To test every 30 minutes, you add a line like:

10,40 * * * *   /var/ipfire/ovpn/tunneltest

The contents of the script are:

#!/bin/bash
# this script tests a tunnel-connection and restarts the tunnel when down
T=192.168.250.37
config="/var/ipfire/ovpn/karls.conf"
ifconfig | grep tun0 > /dev/null
t=$?
if [ "$t" != 0 ]; then
    echo "no tunnel-device available"
    logger -t TUNTEST "no tunnel-device available"
    modprobe tun
    openvpn --config $config --daemon
    logger -t TUNTEST "tunnel started"
fi
echo "pinging now"
logger -t TUNTEST "pinging now"
ping -c 1 $T > /dev/null
if [ "$?" != 0 ]; then
    openvpn --config $config --daemon
    echo "tunnel restarted"
    logger -t TUNTEST "tunnel restarted"
else
    echo "tunnel OK"
    logger -t TUNTEST "tunnel OK"
fi
exit 0

VPN to multiple subnets

To configure openVPN to route to more than one subnet, you have to edit /var/ipfire/ovpn/server.conf!
Connect to IPFire via ssh as root first. Open the .conf-file with your editor of choice (vi, vim, nano, ...).

nano /var/ipfire/ovpn/server.conf

You will see a file much like (depends on the settings!):
filename = /var/ipfire/ovpn/server.conf

#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local localdomain
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.207.39.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
keepalive 10 60
status-version 1
status /var/log/ovpnserver.log 30
cipher DESX-CBC
comp-lzo.
max-clients 100
tls-verify /var/ipfire/ovpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3

The important part here is:

push "route 192.168.0.0 255.255.255.0"

It tells the client-PC to send packets, destined to 192.168.0.x, over the VPN. To add the subnet 192.168.1.x, you have to add to the .conf-file:

push "route 192.168.1.0 255.255.255.0"

After the modification server.conf could look like:
filename = /var/ipfire/ovpn/server.conf

#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local localdomain
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.207.39.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
keepalive 10 60
status-version 1
status /var/log/ovpnserver.log 30
cipher DESX-CBC
comp-lzo
max-clients 100
tls-verify /var/ipfire/ovpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3

Now you can communicate with the computers in subnet 192.168.1.0/24 too!

Back to extension section

Back to OpenVPN main

Edit Page ‐ Yes, you can edit!

Older Revisions • December 8 at 10:31 pm • Jon